While using Windows Updates for Business (WUfB) is not for everyone, its simplicity and familiar end-user experience make it quite attractive to many organizations. One thing that WUfB does not provide today is updates for third-party products. For that, you need to continue to use an on-premises solution like Microsoft Endpoint Manager Configuration Manager to complement WUfB.
Ultimately, deploying third-party updates when using WUfB is no different than deploying them using Configuration Manager by itself. Enabling third-party updates with WUfB requires the following three things:
- Enable and configure WUfB.
To enable WUfB, configure any WUfB related policy or setting using one of the following methods:- Group policy or MDM: Configure Windows Update for Business
- Configuration Manager: Integrate with Windows Update for Business
- Intune: Manage Windows 10 software updates in Intune
- Configure and enable software updates in Configuration Manager.
See Plan for software updates in Configuration Manager if necessary. - Configure and enable third-party updates in Configuration Manager.
Do this using a handful of different methods, including the following:- System Center Update Publisher (SCUP).
- The third-party updates feature set built into Configuration Manager.
- A tool from a third-party.
So, how does Configuration Manager work with WUfB to deliver third-party updates? The answer is dual-scan. Note that although dual-scan did cause some confusion in the past that resulted in the unintended installation of updates, you should not be afraid of it once you see how it works (as described in this post).
Dual-scan
Dual-scan is a feature of the Windows Update (WU) client. It enables the WU client to use WUfB and an on-premises WSUS instance to scan for update applicability and compliance. When you enable dual-scan, the WU client uses WUfB (and only WUfB) for Windows product updates and WSUS for non-Windows updates.
To enable dual-scan, enable a WUfB deferral policy on a system with a local WSUS server configured. This can be a WSUS server integrated into and automatically configured by, Configuration Manager (the scenario discussed here) or a stand-alone WSUS server. That’s all there is to it.
If you don’t want dual-scan, don’t enable any WUfB deferral policies. This is where a disconnect usually happens, as these policies are for WUfB only. They have no effect or purpose if another solution for deploying Windows updates is used, like Configuration Manager or WSUS, but they enable dual-scan.
See Using ConfigMgr With Windows 10 WUfB Deferral Policies for further details on dual-scan and explicitly stopping it.
Results
To prove out deploying third-party updates using Configuration Manager with WUfB enabled, I used one of the existing co-managed systems in my lab. The name of this system is ELKWIN2.
WUfB Configured
ELKWIN2 started life as a Windows 10 1909 system and was updated to 2004 using WUfB; it continues to receive quality updates from WUfB. You can see the Windows Update configuration in the following two screenshots from ELKWIN2, confirming the WUfB configuration.
Software Updates Configured
Even though WUfB is configured on ELKWIN2 using Intune, the Configuration Manager Software Updates configuration is still targeted to the system and still applies to the system. Since ELKWIN2 is configured for WUfB and has a local WSUS server configured, dual-scan is also enabled. The following two screenshots show the WSUS server configuration and local group policies configured by the Configuration Manager agent.
Third-party Updates Configured
For this, I created a custom update (for a custom application) in SCUP and published it to the Windows Server Update Services (WSUS) server integrated with the Configuration Manager site in my lab. After synchronizing the update catalog in Configuration Manager, the update showed up in the All Software Updates view, ready for compliance scanning and deployment.
I then initiated a Software Update Scan Cycle from the Actions tab in the Configuration Manager Control Panel applet on ELKWIN2. Finally, I forced ELKWIN2 to send all queued state messages to the site and checked the reports.
As the reports show, ELKWIN2 requires the FakeApp 2.0 Upgrade. Also, note that no Windows updates show at all for ELKWIN2. That’s dual-scan at work. All that is necessary now is to download and deploy the update or configure an Automatic Deployment Rule to do this for us.
Conclusion
Even though WUfB doesn’t support third-party updates, it’s still possible to deploy and manage them using the ever-faithful Configuration Manager and the built-in Windows dual-scan functionality.